Modern defensive security solutions use sophisticated techniques to prevent, detect and/or respond to malicious actions. These solutions are effective and are starting to hit red teamers where it hurts. WithSecure has previously released presentations and tooling around most of the elements of the kill chain, most notably Custom Command & Control (C3) in September 2019. The team behind C3 found that their command and control (C2) channels kept getting caught by the blue team and so they wanted to push back. They found that they could leverage existing communication methods often found within enterprise environments to tunnel their C2 and have been using it successfully ever since the tool was released. We wanted to push back too, and felt that lateral movement would be an interesting space to investigate due to the attention it receives from defensive security solutions.

One of the most important aspects of lateral movement is credential theft, the process of using privileged access to an operating system to extract credential material, and this was the focus of our research. There are a number of different techniques that can be used to retrieve credentials from an endpoint. The details of all of these techniques are beyond the scope of this post; here we'll be focusing on the process of retrieving credential material from the Local Security Authority Subsystem Service (LSASS).

Mimikatz is the de facto standard and most comprehensive tool for credential theft attacks. Initially, it was possible to execute Mimikatz on a target host directly, but security tooling quickly started to prevent this. In certain situations it was possible to use obfuscation to evade detection. But the simplest way for offensive security professionals to push back against these preventative measures was not to run Mimikatz on the endpoint at all, and so Mimikatz began providing support for 'minidumps' of LSASS. The beauty of this approach is that an attacker can first create a minidump of the LSASS process on the target system, exfiltrate it to the relative safety of their attacking machine, and then use Mimikatz offline to retrieve credentials far removed from any defensive security products.

There are legitimate reasons to create minidumps of processes, which is why Microsoft provides the functionality required to create them. The simplest approach is to right-click the LSASS process in Task Manager or use procdump from Microsoft's Sysinternals suite. There are of course several custom implementations of the above tools, as well as some more esoteric approaches like using comsvcs.dll, a Dynamic Link Library (DLL) that ships with Windows by default. These approaches have been documented on a number of security blogs, but the use of comsvcs.dll was recently introduced into LSASSY and as a result is featured heavily in an excellent blog post by Pixis titled Extract credentials from lsass remotely.

The problem with the techniques described above is that security vendors are well aware that security professionals and criminal hackers want to gain access to the LSASS process' memory space. As a result, there are an increasing number of techniques to monitor access to it. In order to defeat the blue team on the battlefield of credential theft, we felt that it was not enough to refine an existing technique; we needed a fresh angle, and that led us to the following problem statement: How can we access credential material without interacting with the LSASS process?

A key observation from our research was that credential theft attacks, and consequently the defensive measures used to prevent them, focus on access to the LSASS process, not on the credential material itself. Anyone familiar with memory forensics knows that it is possible to analyze a physical memory image and obtain access to any process within it and its data, including credential material. These concepts ultimately rely on virtual memory, but, at a very high level, virtual memory is just an addressing method for data stored somewhere in physical memory. We wanted to find out if we could incorporate this approach into our red team operations.

We started to work on a Proof-of-Concept (PoC) by searching the Internet for Volatility and Rekall plugins that would create a minidump of specific processes. You probably guessed that we did not find any. We did come across an impressive tool by skelsec called pypykatz which has a number of features, including a Rekall plugin that retrieves credential material from a physical memory image.
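The post's central observation is that defenders watch the *handle* to LSASS rather than the credential material. The following script is an added illustration of what that monitoring typically looks like, written for this page and not taken from WithSecure or the original post: it runs two checks over Sysmon-style ProcessAccess (Event ID 10) and ProcessCreate (Event ID 1) records and flags handles to `lsass.exe` opened with dump-like access rights, plus command lines that name the dumping methods mentioned above (procdump, comsvcs.dll). The event records are constructed samples, the access-mask set is an assumption drawn from public detection content and should be tuned per estate, and the allow-list of system processes is likewise illustrative.

```python
"""Illustrative detection of LSASS handle access and dump tooling.

Runs over constructed Sysmon-style records (dicts); not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Access masks frequently associated with reading LSASS memory (ASSUMPTION:
# taken from common public detection content, not from the blog post).
SUSPICIOUS_ACCESS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Processes that routinely open LSASS on a healthy host (illustrative; tune it).
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Command-line markers for the dumping approaches named in the post.
DUMP_CMDLINE = re.compile(r"(comsvcs\.dll.*minidump|procdump.*lsass)", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    detail: str


def check_process_access(ev: dict) -> Optional[Alert]:
    """Event ID 10: a process opened a handle to lsass.exe with dump-like rights."""
    if ev.get("EventID") != 10:
        return None
    target = ev.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None
    source = ev.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if granted in SUSPICIOUS_ACCESS:
        return Alert("lsass_handle", f"{source} opened lsass.exe with {hex(granted)}")
    return None


def check_process_create(ev: dict) -> Optional[Alert]:
    """Event ID 1: a command line that invokes a known LSASS dumping method."""
    if ev.get("EventID") != 1:
        return None
    cmdline = ev.get("CommandLine", "")
    if DUMP_CMDLINE.search(cmdline):
        return Alert("lsass_dump_cmdline", f"dump tooling invoked: {cmdline}")
    return None


def scan(events: Iterable[dict]) -> List[Alert]:
    """Apply both checks to every record and collect the alerts in order."""
    alerts: List[Alert] = []
    for ev in events:
        for check in (check_process_access, check_process_create):
            alert = check(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample records (not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\App\app.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe comsvcs.dll, MiniDump 1234 C:\temp\out.dmp full"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

Two of the five constructed records fire: the unknown binary opening `lsass.exe` and the `comsvcs.dll` command line; the allow-listed `csrss.exe` handle and the handle to `svchost.exe` do not. Note what this telemetry cannot see: the Task Manager, procdump and comsvcs.dll paths all produce an LSASS handle or a recognisable command line, whereas reading credentials out of a physical memory image, the direction the post goes next, never opens a handle to LSASS at all, so coverage has to come from elsewhere (for example, monitoring the loading of memory-acquisition drivers).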